Description
Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Navicat for Oracle 12.1.15 contains a denial of service flaw that permits a local attacker to crash the graphical client by submitting an excessively long password string while configuring an Oracle connection. The vulnerability results from insufficient input validation when processing the password field, allowing an attacker to supply a buffer of 550 repeated characters that triggers an application crash. The impact is a temporary loss of service for users of the client, potentially disrupting database administration tasks.

Affected Systems

The flaw impacts Navicat for Oracle, specifically version 12.1.15. Installations of this edition of the database client are susceptible to the described denial of service from anyone with local access to the machine.

Risk and Exploitability

The vulnerability scores a CVSS base of 6.9, indicating a moderate severity. Its exploitability is limited to local users with the ability to enter configuration data for Oracle connections; no remote attack vector is documented. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting it is not a widely exploited or actively used vulnerability. An attacker can trigger the crash by simply entering a 550-character repeated string in the password field during a standard connection setup.

Generated by OpenCVE AI on March 30, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Navicat for Oracle to the newest release that addresses the denial-of-service vulnerability.
  • If an update is unavailable, restrict local users from launching the client or limit write access to its configuration directories.
  • Monitor the client for unexpected crashes and review logs for repeated attempts to enter overly long passwords.



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 11:15:00 +0000

Type | Values Removed | Values Added
Description | | Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash.
Title | | Navicat for Oracle 12.1.15 Password Field Denial of Service
First Time appeared | | Navicat; Navicat navicat
Weaknesses | | CWE-620
CPEs | | cpe:2.3:a:navicat:navicat:12.1.15:*:*:*:*:*:*:*
Vendors & Products | | Navicat; Navicat navicat
References | |
Metrics | | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T13:53:07.017Z

Reserved: 2026-03-30T10:55:24.174Z

Link: CVE-2019-25653

Vulnrichment

Updated: 2026-03-30T13:52:57.239Z

NVD

Status: Awaiting Analysis

Published: 2026-03-30T12:16:17.953

Modified: 2026-03-30T13:26:07.647

Link: CVE-2019-25653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:48Z

Weaknesses